$this_is_home_page fails with custom parameters
This was just posted in ZX Slideshow thread but it seems to be a general bug.
If you use a URL like
Code:
domain.com/index.php?product_info=107
this will load the product_listing page based on product_id=107 master category. However, canonical URL will show only domain.com
The following screenshot is from a vanilla 1.5.6c with demo products loaded.
Re: $this_is_home_page fails with custom parameters
But ... the "index.php?product_info=107" is not a valid URL in Zen Cart
And, unless the "main_page=product_info" is included in the URL, a default install of Zen Cart does NOT show the product listing when "?product_info=107" is specified, because "product_info=" is not a recognized parameter.
Further, the product-listing page in a default install of Zen Cart requires not only "main_page=product_info", but also "&products_id=107"
I think the bug in this case is whatever is generating the invalid URLs.
Re: $this_is_home_page fails with custom parameters
Quote: Originally Posted by DrByte
But ... the "index.php?product_info=107" is not a valid URL in Zen Cart
I couldn't agree more, but perhaps you'll remember when the same problem was happening with canonical URLs and I came up with some crazy ugly solution, which you then beautified and we now have
in init_canonical.php (can't find that thread now).
The problem I'm seeing here is that someone could maliciously post stupid links across the web just to harm your SEO. For example, vanilla install:
domain.com/
domain.com/index.php?products_id=107
domain.com/index.php?products_id=34
domain.com/index.php?products_id=1
domain.com/index.php?products_id=173
All of these will have the exact same canonical URL (home page), but completely different content - aka SEO hara-kiri. :wink:
Re: $this_is_home_page fails with custom parameters
If you get a products_id in $_GET without a main_page, why not just set the main_page to product_info?
Re: $this_is_home_page fails with custom parameters
You could do this in includes/init_includes/init_sanitize.php right after the zen_products_id_valid check.
Re: $this_is_home_page fails with custom parameters
Scott... :bow:
B-E-autiful.
Since it might affect everyone else, may I suggest pushing this into 1.5.7? Just something for you guys to consider...
init_sanitize.php
Code:
<?php
/**
 * sanitize the GET parameters
 * see {@link http://www.zen-cart.com/wiki/index.php/Developers_API_Tutorials#InitSystem wikitutorials} for more details.
 *
 * @package initSystem
 * @copyright Copyright 2003-2019 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: DrByte 2019 Jul 16 Modified in v1.5.6c $
 * @todo move the array process to security class
 */
if (!defined('IS_ADMIN_FLAG')) {
    die('Illegal Access');
}
$csrfBlackListLocal = array();
$csrfBlackList = (isset($csrfBlackListCustom)) ? array_merge($csrfBlackListLocal, $csrfBlackListCustom) : $csrfBlackListLocal;
if (!isset($_SESSION['securityToken'])) {
    $_SESSION['securityToken'] = md5(uniqid(rand(), true));
}
if ((isset($_GET['action']) || isset($_POST['action'])) && $_SERVER['REQUEST_METHOD'] == 'POST') {
    $mainPage = isset($_GET['main_page']) ? $_GET['main_page'] : FILENAME_DEFAULT;
    if (!in_array($mainPage, $csrfBlackList)) {
        if ((!isset($_SESSION['securityToken']) || !isset($_POST['securityToken'])) || ($_SESSION['securityToken'] !== $_POST['securityToken'])) {
            zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', $request_type));
        }
    }
}
if (isset($_GET['typefilter'])) $_GET['typefilter'] = preg_replace('/[^0-9a-zA-Z_-]/', '', $_GET['typefilter']);
if (isset($_GET['products_id'])) $_GET['products_id'] = preg_replace('/[^0-9a-f:]/', '', $_GET['products_id']);
if (isset($_GET['manufacturers_id'])) $_GET['manufacturers_id'] = preg_replace('/[^0-9]/', '', $_GET['manufacturers_id']);
if (isset($_GET['categories_id'])) $_GET['categories_id'] = preg_replace('/[^0-9]/', '', $_GET['categories_id']);
if (isset($_GET['cPath'])) $_GET['cPath'] = preg_replace('/[^0-9_]/', '', $_GET['cPath']);
if (isset($_GET['main_page'])) $_GET['main_page'] = preg_replace('/[^0-9a-zA-Z_]/', '', $_GET['main_page']);
if (isset($_GET['sort'])) $_GET['sort'] = preg_replace('/[^0-9a-zA-Z]/', '', $_GET['sort']);
$saniGroup1 = array('action', 'addr', 'alpha_filter_id', 'alpha_filter', 'authcapt', 'chapter', 'cID', 'currency', 'debug', 'delete', 'dfrom', 'disp_order', 'dto', 'edit', 'faq_item', 'filter_id', 'goback', 'goto', 'gv_no', 'id', 'inc_subcat', 'language', 'markflow', 'music_genre_id', 'nocache', 'notify', 'number_of_uploads', 'order_id', 'order', 'override', 'page', 'pfrom', 'pid', 'pID', 'pos', 'product_id', 'products_image_large_additional', 'products_tax_class_id', 'pto', 'record_company_id', 'referer', 'reviews_id', 'search_in_description', 'set_session_login', 'token', 'tx', 'type', 'zenid');
foreach ($saniGroup1 as $key) {
    if (isset($_GET[$key])) {
        $_GET[$key] = preg_replace('/[^\/0-9a-zA-Z_:@.-]/', '', $_GET[$key]);
        if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/[^\/0-9a-zA-Z_:@.-]/', '', $_REQUEST[$key]);
    }
}
/**
 * process all $_GET terms
 */
$strictReplace = '[<>\']';
$unStrictReplace = '[<>]';
if (isset($_GET) && count($_GET) > 0) {
    foreach ($_GET as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $key2 => $val2) {
                if ($key2 == 'keyword') {
                    $_GET[$key][$key2] = preg_replace('/' . $unStrictReplace . '/', '', $val2);
                    if (isset($_REQUEST[$key][$key2])) $_REQUEST[$key][$key2] = preg_replace('/' . $unStrictReplace . '/', '', $val2);
                } elseif (is_array($val2)) {
                    foreach ($val2 as $key3 => $val3) {
                        $_GET[$key][$key2][$key3] = preg_replace('/' . $strictReplace . '/', '', $val3);
                        if (isset($_REQUEST[$key][$key2][$key3])) $_REQUEST[$key][$key2][$key3] = preg_replace('/' . $strictReplace . '/', '', $val3);
                    }
                } else {
                    $_GET[$key][$key2] = preg_replace('/' . $strictReplace . '/', '', $val2);
                    if (isset($_REQUEST[$key][$key2])) $_REQUEST[$key][$key2] = preg_replace('/' . $strictReplace . '/', '', $val2);
                }
            }
        } else {
            if ($key == 'keyword') {
                $_GET[$key] = preg_replace('/' . $unStrictReplace . '/', '', $value);
                if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/' . $unStrictReplace . '/', '', $value);
            } else {
                $_GET[$key] = preg_replace('/' . $strictReplace . '/', '', $value);
                if (isset($_REQUEST[$key])) $_REQUEST[$key] = preg_replace('/' . $strictReplace . '/', '', $value);
            }
        }
        unset($GLOBALS[$key]);
    }
}
/**
 * process all $_POST terms
 * @todo move the array process to security class
 */
if (isset($_POST) && count($_POST) > 0) {
    foreach ($_POST as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $key2 => $val2) {
                unset($GLOBALS[$key]);
            }
        } else {
            unset($GLOBALS[$key]);
        }
    }
}
/**
 * process all $_COOKIE terms
 */
if (isset($_COOKIE) && count($_COOKIE) > 0) {
    foreach ($_COOKIE as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $key2 => $val2) {
                unset($GLOBALS[$key]);
            }
        } else {
            unset($GLOBALS[$key]);
        }
    }
}
/**
 * process all $_SESSION terms
 */
if (isset($_SESSION) && count($_SESSION) > 0) {
    foreach ($_SESSION as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $key2 => $val2) {
                unset($GLOBALS[$key]);
            }
        } else {
            unset($GLOBALS[$key]);
        }
    }
}
/**
 * validate products_id for search engines and bookmarks, etc.
 */
if (isset($_GET['products_id']) && (!isset($_SESSION['check_valid']) || $_SESSION['check_valid'] != 'false')) {
    $check_valid = zen_products_id_valid($_GET['products_id']);
    if (!$check_valid) {
        $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
        /**
         * do not recheck redirect
         */
        $_SESSION['check_valid'] = 'false';
        zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
    }
    if (!isset($_GET['main_page'])) {
        $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
        zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
    }
}
$_SESSION['check_valid'] = 'true';
/**
 * We do some checks here to ensure $_GET['main_page'] has a sane value
 */
if (!isset($_GET['main_page']) || !zen_not_null($_GET['main_page'])) $_GET['main_page'] = 'index';
if (!is_dir(DIR_WS_MODULES . 'pages/' . $_GET['main_page'])) {
    if (MISSING_PAGE_CHECK == 'On' || MISSING_PAGE_CHECK == 'true') {
        $_GET['main_page'] = 'index';
    } elseif (MISSING_PAGE_CHECK == 'Page Not Found') {
        header('HTTP/1.1 404 Not Found');
        $_GET['main_page'] = FILENAME_PAGE_NOT_FOUND;
    }
}
$current_page = $_GET['main_page'];
$current_page_base = $current_page;
$code_page_directory = DIR_WS_MODULES . 'pages/' . $current_page_base;
$page_directory = $code_page_directory;
Re: $this_is_home_page fails with custom parameters
If @drbyte approves, maybe you could create a PR? Join the fun!
Re: $this_is_home_page fails with custom parameters
Quote:
Code:
if (!isset($_GET['main_page'])) {
    $_GET['main_page'] = zen_get_info_page($_GET['products_id']);
    zen_redirect(zen_href_link($_GET['main_page'], 'products_id=' . $_GET['products_id']));
}
I'm not sure this is correct logic. It assumes that if the main_page param is blank, that a product id is. And blindly redirects to it, even if it's blank.
Re: $this_is_home_page fails with custom parameters
As for the initial situation where this was encountered, I'm guessing the store was formerly using some sort of URL-rewriter? Perhaps contingencies for having changed that situation should be implemented on that store.
Re: $this_is_home_page fails with custom parameters
Quote: Originally Posted by DrByte
I'm not sure this is correct logic. It assumes that if the main_page param is blank, that a product id is. And blindly redirects to it, even if it's blank.
Uhm, what do you mean "even if it's blank"? :blink: It can't be blank, it's inside
Code:
if (isset($_GET['products_id']) && (!isset($_SESSION['check_valid']) || $_SESSION['check_valid'] != 'false')) {
Can't think of any valid situation where main_page would be blank, but products_id would exist... Maybe it's just my time to go to bed...
It's definitely an invalid URL so we're just trying to get the best out of it.
I have no idea if some URL rewriter was used, I only noticed potential problems with canonical URLs, otherwise would've never posted it here...
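The products_id-without-main_page normalisation proposed in this thread, together with the blank-value case DrByte asks about, modelled as an added example; this is not Zen Cart's init_sanitize.php and not code from anyone in the thread. `sanitize_get`, `normalize_request` and the `CATALOGUE` table are assumed stand-ins for the store's `$_GET` handling and for the database-backed `zen_products_id_valid()` / `zen_get_info_page()`, and the unknown-product branch is this example's own choice, not Zen Cart's behaviour.

```php
<?php
// Constructed catalogue: products_id => info page name. Stands in for
// zen_products_id_valid() and zen_get_info_page(), which query the database.
const CATALOGUE = [
    '107' => 'product_info',
    '34'  => 'product_music_info',
    '1'   => 'product_info',
];

// Same character filters init_sanitize.php applies: products_id keeps only
// [0-9a-f:] (base id plus attribute hash), main_page keeps only [0-9a-zA-Z_].
function sanitize_get(array $get): array
{
    if (isset($get['products_id']) && is_string($get['products_id'])) {
        $get['products_id'] = preg_replace('/[^0-9a-f:]/', '', $get['products_id']);
    }
    if (isset($get['main_page']) && is_string($get['main_page'])) {
        $get['main_page'] = preg_replace('/[^0-9a-zA-Z_]/', '', $get['main_page']);
    }
    return $get;
}

// Returns ['redirect' => query string] when the URL should be normalised so
// that the canonical URL becomes the product page rather than the home page,
// or ['main_page' => page] when the request can be served as it is.
// The guard on an empty products_id matters: after preg_replace a request
// like ?products_id=abc carries '', and isset() is still true for ''.
function normalize_request(array $get): array
{
    $get  = sanitize_get($get);
    $pid  = $get['products_id'] ?? '';
    $base = explode(':', $pid)[0];   // "107:abcdef01" -> "107"

    if ($pid !== '' && $base !== '') {
        if (!isset(CATALOGUE[$base])) {
            // Unknown product: this example's choice is a not-found page.
            return ['main_page' => 'page_not_found'];
        }
        if (empty($get['main_page'])) {
            // products_id without main_page: the fix proposed in the thread.
            return ['redirect' => 'main_page=' . CATALOGUE[$base] . '&products_id=' . $pid];
        }
        return ['main_page' => $get['main_page']];
    }
    // No usable products_id: fall back to the default page, as init_sanitize.php does.
    return ['main_page' => empty($get['main_page']) ? 'index' : $get['main_page']];
}

// Constructed inputs: the bare-products_id links from the thread and a junk id.
foreach ([['products_id' => '107'], ['products_id' => '34'], ['products_id' => 'abc'], []] as $case) {
    echo json_encode($case), ' => ', json_encode(normalize_request($case)), PHP_EOL;
}
```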